Nation-State Cyberattacks are NOT Terrorism, asserts RAND expert

According to Martin C. Libicki, even when backed by nation-states, cyberattacks are not terrorism and should not be considered a national-security concern. Do you agree?

Libicki is a senior management scientist at the nonprofit, nonpartisan RAND corporation. In an article on the topic for Newsweek, Libicki defines terrorism as “the use of attacks to create visceral fear,” and he claims that cyberattacks do not fit that definition. Merriam-Webster Dictionary defines “visceral” as “coming from strong emotions and not from logic or reason.” Do cyberattacks cause visceral fear? Below is a breakdown of Libicki’s argument that they do not.

Sony Attack

According to Libicki, the Sony attack was not decisive until there was a threat of actual terror: the threats made on the physical theaters that showed the film. To support this claim, Libicki points out that Sony did not withdraw the film until the threats transitioned from threats of cyberattacks to threats of 9/11 style attacks on theaters showing the film.

Following a discussion on the Sony Attacks, Libicki commentated on various cyberattacks reported throughout the years. Libicki seems to minimalize these attacks by continually referring to them as merely “trashing computers.” Libicki appears again to minimalize these attacks by pointing out that “most computers are rendered inoperable from criminal not terrorist reasons.”

Attacks on Critical Infrastructure

Libicki points out that the number one fear when it comes to cyberattacks is that an attack will shut down critical infrastructure or confound a network-centric military. According to Libicki, these are “hard targets” and the chance they will be hit is rare essentially because it has not yet been accomplished. Libicki focuses on the fact that most cyberattacks, like physical terrorist attacks, have been focused on “soft targets” in which “security may have been an afterthought.” In the cyberworld, the soft targets are corporations such as those involved in the entertainment industry, and in the physical world, the soft targets are undefended places where people congregate such as coffee shops, food markets, and trains.

Cyberattacks are Weapons of…the weak?

If either Iran or North Korea were strong and influential, they might have been able to head off being treated with what they regarded as such disrespect by tried-and-true methods of pressure and financial leverage. But they are weak players and had to use other, more disruptive methods.

Are cyberattacks weapons of the weak? Libicki argues that even conventional terrorism is a weapon by those without the ability to carry out conventional military tasks such as defending populations, or attacking the other side’s military. However, given the advancement of technology, is it really fair to say that strong nation-states will always defer to conventional military tasks? Even the United States has the ability to use hacking operations to go on the offensive.

Cyberattacks Do Not Share the Motives of Terrorist Attacks

Libicki argues that “political motives” are unprecedented for hacks as large as those against Sony, yet hacking to make a political point has been around as long as hacking. However, using the Charlie Hebdo attack as an example, Libicki states that we should be more fearful of the real terrorist threats that come from “political motives” rather than “what we might strain to label as cyberterrorism.”

Libicki also differentiates cyberattacks from physical terrorism by claiming that hackers gain something from their attacks and that real, physical terrorists “gain nothing for themselves; their entire interaction with their victims is one of loss.” This statement comes down to what you define as “gaining something,” as many would argue that physical terrorists act from a powerful motive that serves them tremendously more than any economic figure or other benefit.

Cyberattacks Lack Element of “Terror”

The article goes on to claim that cyberattacks do not really create any terror.

[T]here is no reason why hackers should be taken seriously as experts in killing people.

First of all, given the recent research on the ability of hackers to potentially hack into medical devices and airplanes (to name a few), is it fair to say that hackers should not be taken seriously as experts in killing people? If a person were to hijack a plane, and physically cut the wiring causing the plane to crash, is that any different from a hacker causing the same result externally? Moreover, keep in mind that a single hacker can cause this damage to multiple planes at the same time.

One might point out that the physical damage is what creates the terror rather than the hacking, however, is this mere semantics? Does the fact that the chain reaction began in the cyber realm and ended in the physical realm really remove the cyber aspect from the equation when analyzing the damage?

[I]t is very difficult to generate a credible hacking threat against a specific target.

Is a threat any less credible coming from a hacker than a physical terrorist? According to Libicki, once the hacking threat is made, the victims are able to find ways of countering it, “either by fixing faults, or by taking pains to disable network features that they otherwise find valuable.” How different is this from physical threats? Areas can be evacuated, and officers can add more security protection. In both the cyber and physical world the threats often outnumber the resources available to counter them. As a result, only certain threats are determined serious enough for a response, and making that determination is often difficult if not impossible. Moreover, in an ever-advancing cyberworld, wouldn’t the prevention and counter of cyber threats be more difficult?

Libicki also differentiates cyberattacks from ‘real terrorism’ by claiming that “visceral fear causes irrational behavior,” and that a cyberattacks do not cause people to act irrationally. Libicki uses the example of 9/11, explaining that after 9/11 many individuals choose to drive rather than fly despite the odds of death per mile traveled are considerably higher. On the other hand, Libicki explained that in a cyberattacks like the Sony attack, companies now have to enter the risk of cyberattacks into their calculus of costs and profits from moviemaking, just as they do with other risks.

Do you agree? Did the Sony attack and others like it only create an economic fear with an easy fix? Think again about the airplane analogy. Would a man physically cutting the wiring on a plane create a “visceral fear” that a hacker causing the same damage could not?

Cyberattacks Are Neither Public Safety Concerns Nor Are They National Security Concerns

According to Libicki, countries can choose to treat terrorism as a threat to public safety or a national security threat, and the logic of treating cyberattacks as either “is strained.”

Inasmuch as cyberattacks have yet to hurt anyone directly, non-military cyberattacks can be treated almost entirely in economic terms. There is no sound alternative to a cost-minimization test of public policy.

[T]he conventional military threat remains the big dog; cyberattacks are no more than the small tail by comparison.

Professor William Snyder

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Christopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law.

Anna Maria Castillo

is 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor in the Syracuse Law Review.

Jennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog when a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)